Gathering keylogger evidence

After properly setting up your profiling environment and knowing which Windows Performance Recorder UI options to select for your trace, you want to perform key presses in a pattern that will make the recording process easy to spot later on when you inspect the data. In this video the Windows Performance Recorder is started and Notepad is opened to perform some simple key presses.

- [Narrator] With the settings in place on the WPR UI, and the svchost key logging shortcut on our desktop, let's open up Notepad. First, let's double-click on the svchost shortcut, and start the key logging. Let's open up Task Manager and make sure it's running. It's the process with the same Windows background service symbol, but there is no name. If we right-click on it, and select Go To Details, it will take us to the Details tab. And under the description, it will have the same description of Host Process for Windows Services that the other svchost processes have, the real ones.

So, it's already pretty hidden. We now know it's running. Let's close out of Task Manager, and let's pull out our stopwatch. I'm going to use my phone to keep track of time. What we are going to do is click start on the WPR UI menu, and then minimize the window. Then, we click start on our stopwatch. Then, inside Notepad, after 10 seconds, we are going to press and hold down the letter J on our keyboard for 10 seconds. So, from the 10-second mark to the 20-second mark, on our stopwatch, we're going to be pressing down and holding the letter J on our keyboard.

Then at the 20-second mark, on our stopwatch, we are going to lift our finger and wait for 10 seconds. And then press down and hold the letter K on our keyboard for another 10 seconds, before lifting our finger at the 40-second mark. We will do this one more time. We will wait 10 more seconds before pressing down and holding the letter L at the 50-second mark for 10 seconds. The entire collection process is 70 seconds, with us pressing down and holding a button on our keyboard every 10 seconds, for 10 seconds.

We do this three times, because in the Windows Performance Analyzer, it will be very clear which process is recording us, if it comes in all three times. This is simply to rule out any coincidences and remove any doubt that the process was maybe doing something else. Let's click start, and then immediately minimize the WPR UI window. After that, let's click start on our stopwatch to start the timer. After 10 seconds, let's press down and hold the letter J.

We're going to do that for 10 seconds. Once it says 20 on the stopwatch, let's lift our finger, and wait for 10 seconds. Once it says 30 on our stopwatch, let's press down and hold the letter K. We're going to press and hold for 10 seconds. Once it says 40 on the stopwatch, lift. And let's wait for 10 seconds.

And one last time, once it says 50 on the stopwatch, press and hold down L. Do this until it says 60 on the stopwatch. Lift. And once it says 1:10 on the stopwatch, 70 seconds have passed, we're going to go back to the WPR UI menu and click save. For the comment, let's put key logging evidence and click save.

By default, the trace file is saved in the user's Documents directory, in the folder WPR Files. Let's go there now by clicking on the Open Folder button. Let's minimize this window to get it out of the way. By default, the trace is named after the computer name, dot, date of the collection, dot etl. And there's a corresponding folder with the same name, only with a dot NGENPDB extension. These are the symbols that are for this trace. It lets us see the function names.

Let's rename both to something more meaningful, like keylogger.etl and keylogger.etl.NGENPDB. And that's it, we are done with the collection process. Now, I'm going to keep the key logger running on my machine, so I can show you how to remove it after we find it. But if you want to stop the key logger now, you can, by going back to the Task Manager. It will be in the Background Processes section, in the Processes tab. And it's the one that says it's from Microsoft Corporation, but it has no name.

Right-click on it, and select End Task to kill the process, and to stop the recording.
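The same 70-second collection can be driven from the Windows Performance Recorder command line so the J/K/L windows line up with the trace clock instead of a phone stopwatch. This is an added example, not code from the course; it assumes wpr.exe is on the PATH, the prompt is elevated, and that the `GeneralProfile` profile stands in for whatever options you selected in the WPR UI earlier in the course.

```powershell
# Added example: drive the timed keylogger-evidence collection from wpr.exe.
# Assumptions: wpr.exe on PATH, elevated shell, GeneralProfile as a placeholder profile.
param(
    [string]$Profile = 'GeneralProfile',
    [string]$OutFile = "$env:USERPROFILE\Documents\WPR Files\keylogger.etl",
    [string]$Comment = 'key logging evidence'
)

$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
           ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'wpr.exe needs an elevated prompt.' }
New-Item -ItemType Directory -Force (Split-Path $OutFile) | Out-Null

function Wait-Until([int]$Mark, [datetime]$T0) {
    # Sleep until $Mark seconds after the trace started, regardless of how long the
    # prompts took, so each hold window matches the timestamps inside the trace.
    $remaining = ($T0.AddSeconds($Mark) - (Get-Date)).TotalMilliseconds
    if ($remaining -gt 0) { Start-Sleep -Milliseconds ([int]$remaining) }
}

& wpr.exe -start $Profile -filemode
if ($LASTEXITCODE -ne 0) { throw "wpr -start failed with exit code $LASTEXITCODE" }
$t0 = Get-Date
Write-Host "Trace started at $($t0.ToString('HH:mm:ss')). Switch to Notepad now."

# Each key is held from second N to N+10, with a 10-second gap before the next one:
# J at 10-20 s, K at 30-40 s, L at 50-60 s, then a final 10 seconds of idle time.
$schedule = @(@{Key='J'; Start=10}, @{Key='K'; Start=30}, @{Key='L'; Start=50})
foreach ($step in $schedule) {
    Wait-Until $step.Start $t0
    Write-Host "[$($step.Start)s] Press and HOLD '$($step.Key)'"
    Wait-Until ($step.Start + 10) $t0
    Write-Host "[$($step.Start + 10)s] RELEASE '$($step.Key)'"
}
Wait-Until 70 $t0

# wpr -stop writes keylogger.etl and the matching keylogger.etl.NGENPDB symbol
# folder next to it, so the rename step from the UI workflow is not needed.
& wpr.exe -stop $OutFile $Comment
if ($LASTEXITCODE -ne 0) { throw "wpr -stop failed with exit code $LASTEXITCODE" }
Write-Host "Saved trace to $OutFile (comment: '$Comment')"
```

Open the resulting keylogger.etl in Windows Performance Analyzer exactly as you would the UI-saved trace; the three hold windows sit at the same second marks the narrator uses.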

Released

9/8/2016

Is your PC running slow? The answer might be more nefarious than you think. Spyware such as keyloggers can often go undetected by antivirus software. Windows Performance Toolkit offers two powerful tools for identifying and gathering evidence of keyloggers: the Recorder, used to record system events, and the Analyzer, used to inspect those events. Join Thomas Pantels as he explains what a keylogger is and demonstrates how it functions and hides in plain sight. Using Windows Performance Toolkit, he shows how to set up a profiling environment to gather evidence and find the keylogger "hooks." Once you've traced the keylogger, you can delete the application and get your computer back on track.